Gang caged over £1 million Next Directory scam masterminded by a Scots internet hacker

Mullen – who was caged for 18 months – preyed on punters who used the same log-ins – then one he’d gained access to their details made them available on the “dark web” which is not visible to “normal” users.

Among those in the gang was mum of two Leisha Johnstone, of Annan, Dumfries, who received a 12-month sentence.

The information, hidden from search engines, netted the users £64,000 of goods from the Leicestershire clothing and homewares giant.

Leicester Crown Court heard the scam was perpetrated across the UK.

Log-in details for 280 legitimate mail order accounts were sold on to other fraudsters, via Facebook closed groups.

The details were not leaked or stolen from Next organisation, whose security system was not infiltrated, but were obtained by banking and other internet fraud.

Matthew Lowe, prosecuting, said: “The Next customer account details became available on the deep or dark web.”

They were obtained by Mullen, 30, who recruited mother-of-five Toni Louise Willis to sell “large amounts” of information using PayPal or bank transfer.

Willis, 32, of Chelmsford, Essex, in turn recruited Johnstone, 25, to also sell the information.

“All of you saw an opportunity to make easy – and you thought risk-free – money at the expense of Next Plc.It wasn’t sophisticated, but it was persistent.

“The losses were not insignificant, but the potential losses were very significant. I must take into account the impact upon the victim in this case – Next plc.

“Although the actual loss doesn’t strike me as being very considerable for that very large company, the reputational loss is incalculable.

“It doesn’t take much imagination to understand that members of the public hearing of offences like these will not go near a Next account with a barge pole, they will consider, whether accurate or not, that they may be at risk of having their account details stolen.

“It’s not a case in which the slightest responsibility applies to Next for your offending or for their account details being stolen.

A sixth defendant, Rachel Wall, 30, of Gorleston, Norfolk, who had used compromised accounts to obtain £11,000 of goods, but had not passed or sold details on, also admitted the conspiracy.

She was given a six month sentence suspended for 18 months.

Speaking after the hearing, Det Chief Insp Ed McBride-Wilding said: “The targets were customers who used the same log-in and password for other online accounts where their details had been stolen during data breaches involving other companies.

“This case emphasises the need to use different passwords for every business and home account or application.”

A Next Plc spokesman said: “We were pleased the judge commended Next’s security systems and we’d like to reiterate that at no point was any customer data hacked or stolen from Next.

“We are also pleased our customers suffered no financial loss and we were able to act very quickly.”

The defendants are due to face a proceeds of crime confiscation hearing in May.